In this section

• Home
• Press office
• News archive
• Articles
• 2004
• 09

• Journalists' guide
• News archive

Talk to our experts

• Press contacts

Resources

• Sophos Podcasts
• SophosLabs blog
• Graham Cluley's blog
• Image gallery
• Customer case studies
• Free anti-virus
• White papers
• Awards and reviews
• Industry affiliations

Info feeds

• Security news
• Company news

• Security news
• Company news

What are info feeds?

15 September 2004

To snoop or not to snoop?

To snoop or not to snoop: that is the question:
Whether 'tis nobler in your job to suffer
The slings and arrows of outrageous oversight
Or to take arms as noted by your union,
And by opposing end them?

(Apologies to W. Shakespeare, Esq.)

A Sophos poll of more than 1,000 computer users at small- to medium-sized businesses (SMBs), has revealed that over 50 percent of employees felt that their employers should take preventative action to help ensure that spam containing violent, pornographic and other offensive content does not find its way to their inboxes. Furthermore, only 13 percent of people thought that this should not be the employer's responsibility.

These results, whilst hardly surprising, come at a time when unions and privacy advocates in Australia are calling for clearer and more restrictive guidelines concerning email surveillance by employers.

"Employers are on the horns of a dilemma here," said Paul Ducklin, Sophos's Head of Technology, Asia Pacific. "There is a certain moral repugnance in the idea of employers reading all their employees' email, even in those legal jurisdictions which offer no expectation of privacy when employees use company equipment to communicate. But there is a certain social irresponsibility in the idea of employers not filtering their employees' mail to prevent the flow of spam, phishing and viruses in and out of the company."

As Ducklin explains, effective corporate anti-virus and anti-spam filtration requires that all email - inwards, outwards and internal - be examined in considerable detail, though by a computer rather than a human. This includes character-by-character, word-by-word and attachment-by-attachment analysis, and results in an often very detailed characterisation of each email's content.

Most unwanted email can be identified automatically in this way, but suspicious emails (such as those containing unknown programs or documents, which can carry viruses, backdoors and keyloggers) may be quarantined for later review. Often this review is done by a human - typically an IT staffer with the technical know-how to asses the safety or suitability of the quarantined item.

Ducklin offers some suggestions for "responsible surveillance" so that employers can balance privacy and security to help ensure an email environment which is neither dangerous nor repressive:

• Make sure that employees are aware of what filtering you are doing and what benefits this has for each individual. For example, by blocking viruses and Trojans, you reduce the risk of damage to business operations and of the loss of confidential data.
   
• Make sure that you manage your employees' expectations of the filtering you are doing. No computerised filtration process can achieve perfect results (Alan Turing proved this back in the 1930s). For example, by filtering spam, offensive email such as pornography and hate mail will be drastically reduced, but you cannot guarantee to eliminate it.
   
• Make sure that your company has a code of conduct for IT staff who will administer the email filtering computers. Administrators of these computers will typically have access to logs and quarantined emails, which they must treat with the respect they deserve.
   
• Consider using a quarantine system which allows employees to review their own messages. For example, Sophos PureMessage includes a feature to send users a regular summary of messages intercepted on their behalf. They can then choose whether to release them automatically or to request further analysis. Emails not requested are automatically removed from the system after a short time.
   
• Take the advice of Bill Cheswick and Steve Bellovin, long-standing internet security experts and authors of "Firewalls and Internet Security": when implementing computer security measures, always try to adhere to moral standards higher than those strictly required by law.
   

Sophos has free guidelines for the effective management of viruses and spam in corporate email:

• Simple steps to defend against viruses
• Spam best practice

Sophos's email filtering solutions, PureMessage and MailMonitor, are available for free evaluation.

• Bookmark with del.icio.us
• Submit this story to digg
• Submit this story to slashdot

About Sophos

Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com